(54) A method for altering encryption status in a relational database in a continuous process



(57) A method for altering encryption status in a re- 
lational database in a continuous process, wherein at 
least one table of said database comprises at least one 
base area and at least one maintenance area, compris- 
ing the steps of: copying all records from said base area 
to said maintenance area; directing action of commands 
intended for said base area to said maintenance area; 
altering encryption status of said base area; copying all 
data records from said maintenance area to said base 
area; and redirecting action of commands to said base 
area. 
[0001] The present invention relates to a method for altering encryption status in a relational database in a continuous
process reducing the need for taking the database offline.

Background of the invention 

[0002] In order to protect information stored in a database, it is known to store sensitive data encrypted in the database.
To access such encrypted data you have to decrypt it, which could only be done by knowing the encryption
algorithm and the specific decryption key being used. The access to the decryption keys could be limited to certain 
users of the database system, and further, different users could be given different access rights. 
[0003] Specifically, it is preferred to use a so-called granular security solution for the encryption of databases, instead
of building walls around servers or hard drives. In such a solution, which is described in the document WO 97/49211 
by the same applicant, a protective layer of encryption is provided around specific sensitive data-items or objects. This 
prevents outside attacks as well as infiltration from within the server itself. This also allows the system manager to 
define which data stored in databases are sensitive and thereby focusing the protection only on the sensitive data, 
which in turn minimizes the delays or burdens on the system that may occur from other bulk encryption methods. 
[0004] Most preferably the encryption is made on such a basic level as in the column level of the databases. En- 
cryption of whole files, tables or databases is not so granular, and does thus encrypt even non-sensitive data. It is 
further possible to assign different encryption keys of the same algorithm to different data columns. With multiple keys 
in place, intruders are prevented from gaining full access to any database since a different key could protect each 
column of encrypted data. 

[0005] However, there are problems with the previously known database encryption methods. Especially there is a
problem when the system manager wants to change which columns are to be encrypted and which are not to be
encrypted, in a 7 days by 24 hours operational database, since the database has to be taken out of operation when
encryption is to be added to, removed from, or changed on a column.

[0006] In most commercial applications accessibility is a critical issue. On the Internet, especially in web-based
applications, customers expect a service to be accessible when they want to use it.

[0007] Current encryption systems which encrypt data in databases, especially commercial relational databases,
have to be taken offline or be only partly available when adding or removing encryption on data.

Object of the invention 

[0008] It is therefore an object of the present invention to provide a method which allows altering of encryption status
in a relational database in a continuous process, which significantly reduces or eliminates the need for making the
database unavailable or only partly available, overcoming the above-mentioned problems.
[0009] This object is achieved by means of a method according to the appended claims. 

Summary of the invention 

[0010] According to the invention, a method for altering encryption status in a relational database in a continuous 
process, wherein at least one table of said database comprises at least one base area and at least one maintenance 
area, comprising the steps of: copying all records from said base area to said maintenance area; directing action of 
commands intended for said base area to said maintenance area; altering encryption status of said base area; copying 
all data records from said maintenance area to said base area; and redirecting action of commands to said base area.
[0011] Hereby a method is provided which significantly improves the uptime of a database system. With this method
the database owner can easily alter encryption settings in the database while it is up and running. Since a rerouting
of the access is provided, data will always be accessible. Thus, the security administrator (SA) can add or remove
encryption when it is needed, independently of any constraints regarding when the database has to be up. For example,
if a security leak is found in a web application such as an Internet store during rush hours, the management of that
company would with previous solutions have had to decide whether to risk sales or risk that someone would intrude
in their system, gaining access to unencrypted data in the database. This is eliminated with the method according to
the invention. Another advantage is that regular maintenance work can be performed during daytime, reducing the
need for costly overtime, since the maintenance personnel do not have to work when the database can be taken offline,
which mostly is during night hours.

EP 1 207 462 A2

[0012] The term encryption status is to be understood as how to protect data elements in the base area, for instance
whether or not the data elements are subject to encryption. In another embodiment it could also be understood as
changing the encryption level, from strong to weak. If the purpose is to remove encryption for data elements in the
base area, the data elements are decrypted while they are copied to the maintenance area. Then, if the purpose is to
add encryption to data elements, they are encrypted as they are copied to, or from, the maintenance area. Then, when
the data elements are temporarily stored in the maintenance area, the settings could be changed for the base area.
[0013] The database which is described comprises one or more tables. Action of commands could for example be
reading commands resulting in a read operation, or a write command resulting in a write operation.
[0014] Preferably, said step of directing is implemented in a trigger which is added to said table.
[0015] In an embodiment of the present invention said commands are data manipulation language (DML) statements.

[0016] In an embodiment of the present invention each base area in said database table has a corresponding
maintenance area.

[0017] In an embodiment of the present invention the method comprises the further step of emptying said base area
before said step of altering. Preferably this is done by updating all the records of the column with NULL.
[0018] In an embodiment of the present invention the method comprises the further step of changing the data type
of said base area. Preferably, this is changed to RAW.

[0019] In an embodiment of the present invention said base area is a first column of said table and said maintenance 
area is a second column of said table. However the invention is not limited to this interpretation of an area, for example 
an area could comprise a set of columns. 

[0020] According to another embodiment of the invention a method for altering encryption status in a relational
database in a continuous process, wherein at least one table of said database comprises at least one base area, and for
each base area a corresponding area, comprising the steps of: activating encryption means for said corresponding
column; directing action of commands intended for said base area to said maintenance area; copying all records from
said base area to said corresponding area; and emptying said base area.

[0021] Hereby a method is provided which, in addition to the above-mentioned advantages, allows continuous
encryption on tables that have explicit locks, i.e. row exclusive (RX) or share row exclusive (SRX) locks.

Brief description of the drawing 

[0022] For exemplifying purposes, the invention will be described with reference to embodiments thereof illustrated
in the attached drawing, wherein:

Fig. 1 is a flow-chart illustrating an embodiment of a method according to the invention.

Description of a preferred embodiment

[0023] Referring to fig. 1, a method for altering encryption on column level in a relational database in a continuous
process, without the need for taking the database offline according to a preferred embodiment of the invention is now
to be described. In this embodiment the altering is performed on column level.

[0024] Tables I and II below illustrate an example of a database table, "tab", for which encryption is to be added
to a column. Table I describes the structure of the database table "tab" and Table II is an example of the contents in
such a table.



Table I

| Data element  | Data type    | Value    | Comment         |
|---------------|--------------|----------|-----------------|
| cust_id       | NUMBER       | NOT NULL | Primary key     |
| name          | VARCHAR2(64) | NOT NULL |                 |
| date_of_birth | DATE         | NOT NULL |                 |
| user_name     | VARCHAR2(32) | NOT NULL |                 |
| password      | VARCHAR2(32) | NOT NULL | To be encrypted |
| maint         | VARCHAR2(32) | NULL     |                 |

Table II

| cust_id | name         | date_of_birth | user_name | password | maint |
|---------|--------------|---------------|-----------|----------|-------|
| 1001    | MAX          | 19910101      | MNN       | abc      | NULL  |
| 1002    | MARTIN       | 19920202      | MKR       | cdf      | NULL  |
| 1003    | JOHAN        | 19930303      | JON       | ghi      | NULL  |
| 1004    | MARIE-LOUISE | 19940404      | MLA       | jkl      | NULL  |



[0025] The method comprises a first step S1, wherein data is copied from the base column "password" to the
maintenance column "maint". The contents of "tab" after the step S1 are shown in Table III.



Table III

| cust_id | name         | date_of_birth | user_name | password | maint |
|---------|--------------|---------------|-----------|----------|-------|
| 1001    | MAX          | 19910101      | MNN       | abc      | abc   |
| 1002    | MARTIN       | 19920202      | MKR       | cdf      | cdf   |
| 1003    | JOHAN        | 19930303      | JON       | ghi      | ghi   |
| 1004    | MARIE-LOUISE | 19940404      | MLA       | jkl      | jkl   |



[0026] Preferably, if needed, the method contains a step, which checks whether the column "password" is nullable,
i.e. the column does not have a NOT NULL constraint. Then the column is altered to be nullable.
[0027] In another step S2 a trigger is added. The object of the trigger is to direct all commands aimed at the base
column to the maintenance column, i.e. a synchronization function. Thus, when a user for example sends an update
command for the base column, this command is directed to the maintenance column. In order to overcome problems
during copying and activation of the trigger, the trigger could be built up from several steps. For instance, it could first
synchronize the base and the maintenance column; then, when the contents are identical, stop updating the base
column and at the same time let the maintenance column take over the actions taken on the base column. Preferably the
copying of the records from the base column is performed simultaneously with the addition of the trigger.
[0028] In another step S3, the base column "password" is emptied. For instance, this could be performed by updating
the base column with NULL. Preferably, if it is required by the later applied encryption, the method comprises the further
step S4, wherein the table is altered in order to change the base column data type to the data type RAW. The present
structure and contents of "tab" are described in tables IV and V, respectively.



Table IV

| Data element  | Data type    | Value    | Comment         |
|---------------|--------------|----------|-----------------|
| cust_id       | NUMBER       | NOT NULL | Primary key     |
| name          | VARCHAR2(64) | NOT NULL |                 |
| date_of_birth | DATE         | NOT NULL |                 |
| user_name     | VARCHAR2(32) | NOT NULL |                 |
| password      | RAW          | NULL     | To be encrypted |
| maintenance   | VARCHAR2(32) | NOT NULL |                 |





Table V

| cust_id | name         | date_of_birth | user_name | password | maint |
|---------|--------------|---------------|-----------|----------|-------|
| 1001    | MAX          | 19910101      | MNN       | NULL     | abc   |
| 1002    | MARTIN       | 19920202      | MKR       | NULL     | cdf   |
| 1003    | JOHAN        | 19930303      | JON       | NULL     | ghi   |
| 1004    | MARIE-LOUISE | 19940404      | MLA       | NULL     | jkl   |

[0029] Then, the step S5 of activating encryption means is performed. Thus, all data written to the base column
"password" will now be written in encrypted form. The means for encryption could be standard software or hardware,
for example an apparatus with a DES algorithm. The data is read from the maintenance column and processed by
encryption means. The encryption could be either symmetrical or asymmetrical, for example DES or RSA respectively.
[0030] After step S5, the records from the maintenance column are copied to the base column through the encryption
means in step S6. Thus, the contents of the base column "password" are now stored in an encrypted form.
[0031] Then the trigger is removed in step S7. This is done in such a manner that synchronization problems are
overcome. Preferably the copying of the records from the maintenance column is performed simultaneously with the
removal of the trigger.

[0032] Since the maintenance column now contains unencrypted data, it is important that this column is emptied,
which is performed in step S8. This can be performed by either updating the column with NULL or writing a random
value into the column. Then this example table, "tab", will have the contents as shown in table VI.



Table VI

| cust_id | name         | date_of_birth | user_name | password | maint |
|---------|--------------|---------------|-----------|----------|-------|
| 1001    | MAX          | 19910101      | MNN       | 7je      | NULL  |
| 1002    | MARTIN       | 19920202      | MKR       | skj      | NULL  |
| 1003    | JOHAN        | 19930303      | JON       | 9fJ      | NULL  |
| 1004    | MARIE-LOUISE | 19940404      | MLA       | xjr      | NULL  |



[0033] In order to let the altering of the table have effect on views, the views have to be recreated after each ALTER 
of a table. 
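
The steps S1 to S8 above, carried through on a cut-down copy of "tab", as an added example that is not part of the patent text. It assumes SQLite in place of the Oracle-style database the tables imply, a keyed XOR keystream as a stand-in for the "encryption means", and an application that never writes NULL to "password"; the function names are hypothetical.

```python
import hashlib
import os
import sqlite3

KEY = b"constructed-demo-key"  # constructed sample key, not from the patent

def _keystream_xor(data, nonce):
    stream = hashlib.shake_256(KEY + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def enc(text):
    """Stand-in for the 'encryption means' (the patent names DES or RSA)."""
    nonce = os.urandom(16)
    return nonce + _keystream_xor(text.encode(), nonce)

def dec(blob):
    return _keystream_xor(blob[16:], blob[:16]).decode()

def setup():
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN/COMMIT
    db.create_function("enc", 1, enc)                        # used only in S6
    # Untyped, nullable "password": [0026] and S4 need no ALTER in SQLite.
    db.execute("CREATE TABLE tab (cust_id INTEGER PRIMARY KEY,"
               " user_name TEXT NOT NULL, password, maint)")
    db.executemany("INSERT INTO tab VALUES (?, ?, ?, NULL)",
                   [(1001, "MNN", "abc"), (1002, "MKR", "cdf")])
    return db

def start_maintenance(db):
    db.execute("BEGIN")
    db.execute("UPDATE tab SET maint = password")              # S1: copy
    db.execute("""CREATE TRIGGER redirect AFTER UPDATE OF password ON tab
                  WHEN NEW.password IS NOT NULL BEGIN
                    UPDATE tab SET maint = NEW.password, password = NULL
                     WHERE cust_id = NEW.cust_id;
                  END""")                                       # S2: redirect
    db.execute("UPDATE tab SET password = NULL")               # S3: empty base
    db.execute("COMMIT")

def finish_maintenance(db):
    db.execute("BEGIN")
    db.execute("DROP TRIGGER redirect")                        # S7, same txn as S6
    db.execute("UPDATE tab SET password = enc(maint) WHERE maint IS NOT NULL")  # S5 + S6
    db.execute("UPDATE tab SET maint = NULL")                  # S8: wipe plaintext
    db.execute("COMMIT")

def demo():
    db = setup()
    start_maintenance(db)
    db.execute("UPDATE tab SET password = 'new' WHERE cust_id = 1001")  # live write
    during = db.execute("SELECT password, maint FROM tab ORDER BY cust_id").fetchall()
    finish_maintenance(db)
    after = db.execute("SELECT password, maint FROM tab ORDER BY cust_id").fetchall()
    return during, after
```

Only writes are redirected in this sketch. Setting "maint" to NULL removes the plaintext from the table but does not by itself scrub earlier copies held in journals or backups.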

[0034] An alternative embodiment will now be described. The above-mentioned embodiment is used under the
presumption that there are not any table locks (RX/RSX = Row Exclusive/Row Share Exclusive) on the table. In the case
of such database locks, additional maintenance columns have to be added in advance. This is preferably performed
during installation or planned maintenance, and does not have to be done when the actual adding or removing of encryption
takes place. Thus, there will be created a maintenance column for each column which is not currently encrypted. The
method according to the alternative embodiment is similar to the preferred embodiment described above and comprises
the steps: activating encryption means for the maintenance columns corresponding to the base column, which is to
be encrypted; adding a trigger to the table, which transfers action of data manipulation language (DML) statements
intended for the base column to the maintenance column; copying all records from the base column to the corresponding
maintenance column through the encryption means; and emptying said base column.

[0035] The invention has been described above in terms of a preferred embodiment. However, the scope of this
invention should not be limited by this embodiment, and alternative embodiments of the invention are feasible, as
should be appreciated by a person skilled in the art. For example, if a column has a constraint indicating that a value
of a column can not be NULL, and this column is to be encrypted, the constraint has to be removed temporarily. Also,
the method could also be used for changing the strength of encryption on a chosen area or when keys are to be
changed, or when data is to be reencrypted.

[0036] Such embodiments should be considered to be within the scope of the invention, as it is defined by the
appended claims.

Claims

1. A method for altering encryption status in a relational database in a continuous process, wherein at least one table
of said database comprises at least one base area and at least one maintenance area, comprising the steps of:

copying all records from said base area to said maintenance area;
directing action of commands intended for said base area to said maintenance area;
altering encryption status of said base area;
copying all data records from said maintenance area to said base area; and
redirecting action of commands to said base area.

2. A method according to claim 1, wherein said step of directing is implemented in a trigger which is added to said table.

3. A method according to any of the preceding claims, wherein said commands are data manipulation language
(DML) statements.

4. A method according to any of the preceding claims, wherein each base area in said database table has a
corresponding maintenance area.

5. A method according to any of the preceding claims, comprising the further step of:

emptying said maintenance area.

6. A method according to any of the preceding claims, comprising the further step of:

emptying said base area before said step of altering.

7. A method according to claim 6, wherein said step of emptying the base area comprises the step of:

updating all the records of the column with NULL.

8. A method according to any of the preceding claims, comprising the further step of:

changing the data type of said base area.

9. A method according to claim 8, wherein the data type of the base column is changed to the data type RAW.

10. A method according to any of the preceding claims, wherein said base area is a first column of said table and said
maintenance area is a second column of said table.

11. A method for altering encryption status in a relational database in a continuous process, wherein at least one table
of said database comprises at least one base area, and for each base area a corresponding area, comprising the
steps of:

activating encryption means for said corresponding column;
directing action of commands intended for said base area to said maintenance area;
copying all records from said base area to said corresponding area; and
emptying said base area.